Smart devices are increasingly ubiquitous; the multitude of risks they pose to user privacy continues to grow, but assessing such risks comprehensively has proven difficult. In this paper, we discuss three factors which complicate the assessment of privacy risks in the context of the smart home. Firstly, smart devices are highly heterogeneous and hard to categorise, so top-down, taxonomy-oriented approaches to risk assessment do not fit well. Secondly, the threat landscape is vast, varied, and growing. Thirdly, the chief asset, personal information, is difficult to value-especially given that its value can be hugely affected by aggregation. To address these factors, we propose a novel, bottom-up approach in which the smart home ecosystem is reduced to its data-collecting capabilities (such as sensors and apps) and then privacy risk is assessed based on the information that the user exposes. We define a capability-oriented model which is system-neutral, extensible, and therefore well-suited to the fast-evolving nature of the smart home.